tballison/quaerite

Sonatype flags log4j as vulnerable

Closed this issue · 1 comment

Java version: 12.0.2, vendor: Oracle
Apache Maven 3.6.0

The build generates this message:

```
[ERROR] Failed to execute goal org.sonatype.ossindex.maven:ossindex-maven-plugin:3.0.4:audit (audit-dependencies) on project quaerite-core: Detected 1 vulnerable components:
[ERROR]   log4j:log4j:jar:1.2.17:compile; https://ossindex.sonatype.org/component/pkg:maven/log4j/log4j@1.2.17?utm_source=ossindex-client&utm_medium=integration&utm_content=1.1.1
[ERROR]     * [CVE-2020-9488] Improper validation of certificate with host mismatch in Apache Log4j SMTP appen... (3.7); https://ossindex.sonatype.org/vulnerability/d3477f9c-032a-44a7-a5e1-02ae35e4737c?component-type=maven&component-name=log4j.log4j&utm_source=ossindex-client&utm_medium=integration&utm_content=1.1.1
[ERROR]     * [CVE-2019-17571] Included in Log4j 1.2 is a SocketServer class that is vulnerable to deserializat... (9.8); https://ossindex.sonatype.org/vulnerability/e6e4ebea-da12-4bde-8f24-6272925ad093?component-type=maven&component-name=log4j.log4j&utm_source=ossindex-client&utm_medium=integration&utm_content=1.1.1
```

Upgrade to 2.15.0 coming soon